- Entries : Category [ Security ]
or how I disagree with some things...
Some days ago I decided to try Firefox 3.0-beta4. At first I was impressed about it's performance, it is really fast tested against the latest version of the 2.0 branch.
Another big point in version 3 is that it doesn't seem to swallow RAM like the 2.0 version. Now I can use the browser even after leaving it opened 2 or more days (in OSx and in FreeBSD leaving Firefox opened from one day to another ends in a almost unusable browser cause it renders itself quite slow).
That's all pretty good, Firefox3, the next generation of a great browser... until I tried to connect to my own webmail service...
Then I realized that the Firefox developers decided to take an approach when dealing with self-signed web certificates very similar to that of the infame IE7.
When you try to access an https website that uses a self-signed cert, you will get something like that:
WTF!, it is the same kind of message firefox shows when a given domain name does not resolv or when you can't connect to a no-response web server, THAT'S VERY CONFUSING FOR END USERS!.
Of course, you can add a security exception, for that, you only have to click on the link in that page I've showed you (o puede añadir una excepcion in spanish), then you will see something like:
More ugly and scaring error messages, you click on add exception (añadir excepcion in spanish) to get to another window where you will see the URL you were trying to connect to:
There, you will have to push the get certificate button (obtener certificado) to get another error message:
So, what? I'll tell you my point of view. Imagine you have a website where you offer a service to your customers. That website requires that your customers provide some login information to use the website, so you set up a secure web server certificate using OpenSSL in your web server. OK, your website is secure now.
Your customers are using the website using Opera or Firefox 2, the first time they connect to the website they got a message asking them about installing a security certificate, they took a look over the cert, pressed Ok, and they are done.
Now they upgrade their Firefox browser and try to use the same website... what will happen then? an ugly and scaring message about that website being not trustable and what is worse, a long 4-window process to be able to access that website, a process that could be difficult to follow for non-techie users.
So, Why do they have to change something that was working perfectly in earlier versions? I do not know, but I don't think that was a good idea (IMHO).
(well, I can think about a reason, the same reason some companies ask for 300$-500$ if you want to get a valid web server certificate).
Firefox3, ssl certs and nic.es
or may I say I already told you about that...
Some days ago I wrote some lines about the new version of the Firefox web browser and how it handles self-signed ssl certificates.
Now, I've a perfect example of that problem, nic.es, the .es domains registrar. If you try to access http://www.nic.es using Firefox3, you will see something like:
Malware and cryptography
or how to bring them all on their knees!
Some time ago, I was a usual reader of security sites, mailing lists and public advisories. Sadly for me, I didn't have the time lately to keep reading about security.
Anyway, today I've found an interesting post in one of the blogs I usually read, the one from Ivan Krstić. In this post Ivan covers the use of cryptography in malware and viruses, pointing to a variant of Gpcode, called Gpcode.ak which, once a system is infected, encrypts every user file/document, leaving a note asking for some money if the user wants to get the files back. Impressive.
From Ivan's post:
it creates a unique 128-bit RC4 (Arcfour) key on each machine and uses a random initialization vector for each file it targets. The IV is written to the beginning of the file, encrypted by the per-machine key, run through MD5, and the output constitutes the per-file key, used to encrypt each file with RC4. At the end, the main per-machine RC4 key is encrypted with a 1024-bit RSA public key which the malware carries within its payload.
Seems this has been around for a while now, but it's the first time it catches my eye.
Of course, I agree with the idea that the problem behind this is not the fact that the malware/virus uses advanced cryptography, but the fact that people use insecure software and insecure operating systems (or broken ones, if you prefer).
Luckily for me, I'm not one of those.
Why you should use NoScript
Sounds simple, right? Well, NoScript has a lot more features and options, feel free to install it and take a look at its documentation and features, it is really worth it.
Well, the answer is for security reasons. Exactly as when I do a network firewall setup, I prefer to go with a block by default, then allow what is needed policy in my browser. I think this is a very good idea, specially if you take in account things like this bugs here: